The Federal Trade Commission’s (FTC’s) “red flags” rules for financial institutions and creditors to fight identity theft require compliance by most healthcare providers on Friday, May 1, 2009. HIPAA.com recommends that healthcare providers examine three documents, which we have available at HIPAA.com, to determine their responsibilities with respect to compliance with the red flag rules. These documents are: » Identity Theft Red Flag Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule, published in the Federal Register on November 9, 2007. The preamble of the Final Rule, which discusses the purpose, intent, and scope of coverage, appears on pages 63718-63733. Of particular importance…
Tag: NIST
Identity Theft Red Flags and Address Discrepancies
DEPARTMENT OF THE TREASURY 12 CFR Part 41, 222, 334, 364, 571 and 717 16 CFR Part 681 Idendity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003 AGENCY: Office of the Secretary, HHS. ACTION: Joint Final Rules and Guidelines. Download (Requires Acrobat Reader)
Evaluation-What This HIPAA Security Rule Administrative Safeguard Standard Means
This is the eighth Administrative Safeguard Standard of the HIPAA Administrative Simplification Security Rule. Its implementation specification is embodied in the language of the standard itself, and it is required of covered entities. Further, as HIPAA.com has noted earlier, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010, as provided for in the HITECH Act provisions of the American Recovery and Reinvestment Act, signed by President Obama on February 17, 2009. What is Required Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of…
Contingency Plan: Disaster Recovery Plan-What to Do and How to Do It
In our series on the HIPAA Administrative Simplification Security Rule, this is the second implementation specification for the Administrative Safeguard Standard (Contingency Plan). This implementation specification is required. As HIPAA.com has noted in earlier postings, with enactment of the American Recovery and Reinvestment Act of 2009 (ARRA) on February 17, 2009, business associates also will be required to comply with the Security Rule standards, effective February 17, 2010. What to Do Establish (and implement as needed) procedures to restore any loss of data. How to Do It The content and procedures of a covered entity’s disaster recovery plan will be » Outcomes of the covered entity’s identification of vulnerabilities and…
Security Management Process: Risk Analysis-What to Do and How to Do It
Security Management Process is the first administrative standard of the Security Rule, and Risk Analysis is the implementation specification. Each covered entity is required to conduct a risk analysis or assessment to determine vulnerabilities and threats and to identify and put in place risk mitigation measures for safeguarding electronic protected health information. Electronic protected health information is the content of the HIPAA Administrative Simplification Standard Transactions and of the expected growing adoption of clinically-based electronic health record systems. What to do: Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity. How to…